Facebook mass hack last month was so totally overblown – only 30 million people affected

Facebook users can relax and get back to interacting with quality content and authentic individuals on the social network.

Last month's deliberate theft of private account records from the internet giant, initially believed to affect 50 million or maybe 90 million accounts, turns out to be nowhere near that bad. Cough.

On Friday, the data-harvesting biz said a mere 30 million people were robbed of their authentication tokens – which could and were used to log into their Facebook accounts. That's only 1.34 per cent of Facebook's total active users – which says more about the out-of-control size of the antisocial network than anything else.

"We now know that fewer people were impacted than originally thought," said Guy Rosen, VP of product management, during a conference call for the media on Friday morning, Pacific Time.

Initial worries that the token pilfering might have led to the compromise of third-party apps implementing Facebook Login turn out to be completely unfounded. Rosen said Messenger, Messenger Kids, Instagram, WhatsApp, Oculus, Workplace, Pages, payments, third-party apps, advertising and developer accounts were not affected. Bullet dodged.

For one million of the token deprived, the attackers took no information. For 15 million, they obtained names, phone numbers, and email addresses, if present in their profiles. For the remaining 14 million, they accessed not only profile data fields, but quite a bit more:

Username, gender, locale/language, relationship status, religion, hometown, self-reported current city, birthdate, device types used to access Facebook, education, work, the last 10 places they checked into or were tagged in, website, people or Pages they follow, and the 15 most recent searches.

Basically everything you need to, say, answer someone's security questions to gain control of their account on a website.

The social network previously confirmed to The Register that the accounts of Facebook CEO Mark Zuckerberg and COO Sheryl Sandberg were among those affected.

The attackers, Rosen said, would not have been able to access any message contents, unless the victim happened to be a Facebook Page admin whose Page had received a message from a Facebook user.

The anatomy of a hack

As recounted by Rosen, the attackers took advantage of a vulnerability in Facebook's code that existed between July 2017 and September 2018.

On September 25, Facebook determined that a spike in activity, identified previously as unusual, represented an attack. The anomalous traffic began on September 14.

Facebook: Up to 90 million addicts' accounts slurped by hackers, no thanks to crappy code

Asked whether Facebook could provide any further insight into the identity, location, or intentions of the attacker(s), Rosen said Facebook has been working with the FBI to investigate the incident and the agency asked the company to refrain from discussing who might be responsible.

The synergy between three separate software bugs allowed the miscreants to misuse Facebook's View As feature – which lets users to see their accounts as someone else would – to steal the access tokens associated with the viewed account. Such tokens are what allow users to interact with Facebook without logging in ever time they send or receive data from the site.

With an initial set of accounts under their control, the attackers, said Rosen, exploited the vulnerable code to run a script that collected access tokens from their friends and the friends of their friends, representing a group of about 400,000 people. They then used the friend lists of those 400,000 seed accounts to steal access tokens from 30 million accounts.

On September 27, Rosen said Facebook closed the vulnerabilities, secured affected accounts, and reset access tokens for those accounts. He said Facebook is looking into the possibility of smaller scale attacks.

Expect a call

Facebook has posted a summary of the incident in its Help Center and plans to send customized messages to the 30 million people affected – that's the sort of thing you can do when you have access to people's data – explaining what information was nabbed and steps that can be taken to prevent further damage.

"People's privacy and security is incredibly important and we're sorry this happened," said Rosen.

That sorrow has limits. The Register asked Facebook whether it intends to pay for identity theft monitoring for the 30 million people affected, a common act of contrition following data thefts.

A Facebook spokesperson said, "Not at this time; the resources we are pointing people toward are based on the actual types of data accessed – including the steps they can take to help protect themselves from suspicious emails, text messages, or calls."

Nonetheless, Facebook may end up opening the corporate coffers to make things right. The company offered no details about how many of those affected reside in the EU where the data protection regime (GDPR) allows for penalties that bring tears to the eyes of accountants.

"We'll have to see what Facebook discloses about potential liability if any exists," said Pravin Kothari, CEO of CipherCloud, in an email to The Register. "The calculations of the potential fines under GDPR are a bit mind-boggling with any possible impact to millions of users." ®